News, tips, partners, and perspectives for the Oracle Solaris operating system

Encrypting /var/tmp & swap in Solaris 11 Express

Darren Moffat
Senior Software Architect

As some readers might remember from previous posts, it isn't possible in Solaris 11 Express to boot from an encrypted ZFS dataset. However, it is possible to have encrypted swap space and thus (by default) an encrypted /tmp. That still leaves /var/tmp unencrypted.

First let's look at swap space encryption. That is as simple as putting the word "encrypted" into the mount options field of /etc/vfstab for the swap ZVOL. If swap is a ZVOL then ZFS encryption will be used; if swap is a raw disk slice or file then lofi will be interposed on top of the device/file using a randomly generated key. That is a fully supported solution in Solaris 11 Express, implemented by the swapadd command.

For encrypting /var/tmp we need to go beyond the provided services; the following (unsupported) method takes its lead from what I did for swapadd and applies it to /var/tmp. Note however that this assumes that nothing in /var/tmp should be preserved across a reboot, and that its contents won't even be readable from another boot environment, so if you use this, don't put anything into /var/tmp that you want to access after a reboot.

This takes advantage of the fact that in SMF we can place dependencies on other services without modifying them. So while the following makes some basic assumptions about the Solaris ZFS dataset layout, it doesn't require modifying any existing binaries or configuration files.

We create a new service, svc:/site/system/filesystem/tmp:default, which creates an encrypted dataset for /var/tmp using the manifest and method script that follow:


<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

 Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-->
<service_bundle type='manifest' name='darrenm:etmp'>
    <service
        name='site/system/filesystem/tmp'
        type='service'
        version='1'>
        <create_default_instance enabled='true' />
        <single_instance />
        <!-- The crypto framework must be up before an encrypted dataset can be created. -->
        <dependency
            name='cryptosvc'
            grouping='require_all'
            type='service'
            restart_on='none'>
            <service_fmri value='svc:/system/cryptosvc' />
        </dependency>
        <!-- Make filesystem/minimal wait for us, so /var/tmp is the encrypted
             dataset before the rest of the boot sequence uses it. -->
        <dependent
            name='var-tmp'
            grouping='optional_all'
            restart_on='none'>
            <service_fmri value='svc:/system/filesystem/minimal' />
        </dependent>
        <exec_method
            type='method'
            name='start'
            exec='/lib/svc/method/site-etmp'
            timeout_seconds='30' />
        <exec_method
            type='method'
            name='stop'
            exec=':true'
            timeout_seconds='1' />
        <!-- Transient: the method runs once at boot and leaves no daemon behind. -->
        <property_group name='startd' type='framework'>
            <propval name='duration' type='astring' value='transient' />
        </property_group>
    </service>
</service_bundle>

#!/usr/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
#
# /lib/svc/method/site-etmp
#
# SMF start method: discard whatever rpool/tmp held during the previous
# boot and recreate it as an encrypted dataset mounted on /var/tmp, keyed
# with raw bytes read from /dev/random.  The key is never stored, so the
# old contents are unrecoverable after the next reboot.

. /lib/svc/share/smf_include.sh

# The dataset name is hardcoded to rpool/tmp; it may not exist yet.
zfs destroy rpool/tmp > /dev/null 2>&1

# /var/tmp must be empty (or absent) or ZFS will refuse to mount over it.
# Fail the service rather than silently leaving /var/tmp unencrypted.
if ! zfs create -o mountpoint=/var/tmp -o encryption=on \
    -o keysource=raw,file:///dev/random rpool/tmp; then
    echo "site-etmp: failed to create encrypted rpool/tmp" >&2
    exit $SMF_EXIT_ERR_FATAL
fi

# World-writable with the sticky bit, as expected of a temp directory.
chmod 1777 /var/tmp
exit $SMF_EXIT_OK

On reboot a new dataset for /var/tmp will be created. It would be possible to have a more sophisticated method script that doesn't use a hardcoded dataset name of rpool/tmp, but this seems sufficient for now. It will look something like this:

darrenm-pc:pts/1$ cd /var/tmp
darrenm-pc:pts/1$ df -hl .
Filesystem             Size   Used  Available Capacity  Mounted on
rpool/tmp              113G    79K        77G     1%    /var/tmp
darrenm-pc:pts/1$ ls -ld .
drwxrwxrwt   5 root     root           5 May 10 14:39 ./
darrenm-pc:pts/1$ zfs get encryption,keysource,keystatus rpool/tmp
NAME       PROPERTY    VALUE                    SOURCE
rpool/tmp  encryption  on                       local
rpool/tmp  keysource   raw,file:///dev/random   local
rpool/tmp  keystatus   available                -
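A post-boot check that both halves of this setup are actually in effect: the swap entry in /etc/vfstab carries the "encrypted" option that swapadd honours, and rpool/tmp is encrypted with its key loaded. This is an added example, not part of the original post; the checks parse text on stdin so they can run offline, the `*_live` wrappers assume a Solaris host with zfs(1M), and the samples are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): verify encrypted swap and
# an encrypted, unlocked /var/tmp dataset after boot.

# Reads /etc/vfstab-format lines. Returns 0 only if at least one swap entry
# exists and every swap entry carries "encrypted" in its mount-options field.
swap_entries_encrypted() {
    found=0
    while read -r dev fsckdev mnt fstype pass atboot opts; do
        case "$dev" in ""|"#"*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = "swap" ] || continue
        found=1
        case ",$opts," in
            *,encrypted,*) ;;                       # swapadd will encrypt it
            *) return 1 ;;                          # plaintext swap entry
        esac
    done
    [ "$found" -eq 1 ]
}

# Reads "property<TAB>value" lines as printed by
#   zfs get -H -o property,value encryption,keystatus <dataset>
# Returns 0 only when encryption is enabled and the key is loaded
# (keystatus "available"); a missing property or "off" fails the check.
dataset_encrypted_and_unlocked() {
    enc=""; key=""
    while read -r prop val; do
        case "$prop" in
            encryption) enc="$val" ;;
            keystatus)  key="$val" ;;
        esac
    done
    case "$enc" in ""|off) return 1 ;; esac
    [ "$key" = "available" ]
}

# Live wrappers: assume a Solaris host with zfs(1M) in PATH.
swap_live()    { swap_entries_encrypted < /etc/vfstab; }
dataset_live() { zfs get -H -o property,value encryption,keystatus "$1" |
                 dataset_encrypted_and_unlocked; }

# Constructed samples modelled on the post's vfstab line and zfs output.
if [ "${1:-}" = "--selftest" ]; then
    printf '/dev/zvol/dsk/rpool/swap\t-\t-\tswap\t-\tno\tencrypted\n' |
        swap_entries_encrypted && echo "swap: encrypted"
    printf 'encryption\ton\nkeystatus\tavailable\n' |
        dataset_encrypted_and_unlocked && echo "rpool/tmp: encrypted, key loaded"
fi
```

Run it with `--selftest` to exercise the constructed samples, or call `swap_live` and `dataset_live rpool/tmp` from a Solaris shell.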

Comments ( 4 )
  • Chris Gerhard Wednesday, May 11, 2011
    Before you enable this be sure to empty /var/tmp so that the mount does not complain about it containing data.
  • guest Wednesday, October 5, 2011

    Hi,

    Although encrypting the /tmp worked well with Solaris 11 Express, I encounter a problem (a bug?) which prevents the recreation of the rpool/swap dataset at each boot, leaving the system without a SWAP device configured. The problem seems to be related to the fact that the swap command sets (directly, or indirectly) some properties of the dataset during the addition of the SWAP device, in particular the encryption property to 'aes-128-ctr', which is unfortunately not recognized by ZFS as a valid encryption algorithm. This leads the system to destroy the rpool/swap dataset each time it is booting, but without being able to recreate it... and thus with no SWAP device available for use.

    Is this a known problem? Is there a workaround for this problem on Solaris 11 EA (hope this will be fixed in Solaris 11 GA)?

    --

    Best regards,

    Julien Gabel.


  • guest Tuesday, May 7, 2013

    The 'aes-128-ctr' issue is still unfixed in Solaris 11.1; they managed to dump all zfs destroy/zfs create -o encryption=on commands from /usr/sbin/swapadd though, so setting swap to encrypted in /etc/vfstab will use lofi. Using zfs crypto on your swap zvol seems to be unsupported.


  • Darren J Moffat Wednesday, May 8, 2013

    The use of lofi for swap is intentional and you cannot use the ZFS dataset encryption on a swap ZVOL at this time. This is a known issue.

